A critical vulnerability, known as Zip Slip, has been discovered in the open-source data cleaning and transformation tool OpenRefine. It allows an attacker who gets a victim to import a crafted project file to execute arbitrary code on the victim’s computer.
OpenRefine is a powerful Java-based, free, open-source tool that is used for handling messy data. It can clean and convert data into different formats, as well as expand it with web services and external data.
According to SonarCloud, the Zip Slip vulnerability in OpenRefine enables attackers to overwrite existing files or to have archive contents extracted to unexpected locations. The root cause is insufficient path validation during archive extraction: entry names are not checked against the intended destination directory before they are written.
The project import feature of OpenRefine versions 3.7.3 and earlier is vulnerable to Zip Slip (CVE-2023-37476, CVSS score 7.8). Although OpenRefine is designed to run locally on a user’s computer, an attacker can trick a user into importing a malicious project file; once the file is imported, the attacker gains the ability to run arbitrary code on the victim’s computer.
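To show what the missing path validation looks like in practice, here is an added Python example (not OpenRefine’s own code, which is Java): an extractor that canonicalises every entry path and refuses any entry that would land outside the destination directory, run against a constructed sample archive with one benign entry and one traversal entry.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if the entry resolves to a path inside dest_dir (defeats
    '../' segments, absolute names and a symlinked destination)."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return target == dest or target.startswith(dest + os.sep)


def extract_safely(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)  # this is the Zip Slip case
                continue
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", '{"name": "demo project"}')
        zf.writestr("../../outside.txt", "would land two directories up")
    return buf.getvalue()


def demo() -> dict:
    """Run the constructed archive through the checked extractor in a temp dir."""
    dest = tempfile.mkdtemp(prefix="zipslip_demo_")
    written, rejected = extract_safely(build_sample_archive(), dest)
    return {"written": written, "rejected": rejected}
```

Calling demo() writes only metadata.json and reports the traversal entry as rejected; an extractor that skips the is_safe_member check would write outside.txt two levels above the destination.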
“The vulnerability gives attackers a strong primitive: writing files with arbitrary content to an arbitrary location on the filesystem. For applications running with root privileges, there are dozens of possibilities to turn this into arbitrary code execution on the operating system: adding a new user to the passwd file, adding an SSH key, creating a cron job, and more,” said researchers.
In order to mitigate this vulnerability, OpenRefine has released version 3.7.4, which contains a fix for the Zip Slip issue. It is highly recommended that users update to OpenRefine 3.7.4 as soon as possible to protect themselves from potential attacks.
In the meantime, users can also take advantage of Patch Manager Plus, a patch management tool that can quickly patch over 850 third-party applications. This can help protect users from vulnerabilities and ensure 100% security.
To summarize, the Zip Slip vulnerability in OpenRefine poses a serious threat to users, as it allows attackers to execute arbitrary code on their computers. By updating to OpenRefine 3.7.4 and utilizing patch management tools like Patch Manager Plus, users can safeguard their systems from potential attacks. It is crucial for users to stay vigilant and take necessary precautions to protect their data and systems from evolving cybersecurity threats.
